Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,926
Erlang
39
GitHub Actions
38
Go
2,576
Maven
5,000+
npm
4,246
NuGet
754
pip
4,008
Pub
12
RubyGems
953
Rust
1,045
Swift
45
Unreviewed advisories
All unreviewed
5,000+

8,454 advisories

Loading
podman kube play symlink traversal vulnerability High
CVE-2025-9566 was published for github.com/containers/podman/v4 (Go) Sep 4, 2025
Luap99
Credited to Luap99
Mattermost Server: initial_load API exposes unnecessary information High
CVE-2016-11066 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Magento has incorrect authorization issue that leads to arbitrary file system read High
CVE-2025-49556 was published for magento/community-edition (Composer) Aug 12, 2025
Podman Improper Certificate Validation; machine missing TLS verification High
CVE-2025-6032 was published for github.com/containers/podman/v4 (Go) Jun 25, 2025
Luap99
Credited to Luap99
Magento vulnerable to denial of service High
CVE-2025-49554 was published for magento/community-edition (Composer) Aug 12, 2025
Magento vulnerable to stored Cross-Site Scripting (XSS) High
CVE-2025-54264 was published for magento/community-edition (Composer) Oct 14, 2025
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name High
CVE-2025-62172 was published for homeassistant (pip) Oct 14, 2025
pwnpanda
Credited to pwnpanda
Magento provides incorrect authorization through a security feature bypass High
CVE-2025-54263 was published for magento/community-edition (Composer) Oct 14, 2025
NeuVector telemetry sender is vulnerable to MITM and DoS High
CVE-2025-54470 was published for https://github.com/neuvector/neuvector (Go) Oct 21, 2025
astral-tokio-tar Vulnerable to PAX Header Desynchronization High
CVE-2025-62518 was published for astral-tokio-tar (Rust) Oct 21, 2025
woodruffw tycho
azenla anners mnm678 zanieb
Credited to woodruffw, tycho, azenla, anners, mnm678, and zanieb
Taguette password reset link poisoning High
CVE-2025-62527 was published for taguette (pip) Oct 20, 2025
emilvirkki
Credited to emilvirkki
Argo Workflow has a Zipslip Vulnerability High
CVE-2025-62156 was published for github.com/argoproj/argo-workflows/v3 (Go) Oct 14, 2025
im-soohyun J1vvoo
Credited to im-soohyun and J1vvoo
vLLM is vulnerable to timing attack at bearer auth High
CVE-2025-59425 was published for vllm (pip) Oct 7, 2025
NiuBlibing russellb
Credited to NiuBlibing and russellb
Apache Syncope allows malicious administrators to inject Groovy code High
CVE-2025-57738 was published for org.apache.syncope.core:syncope-core-spring (Maven) Oct 20, 2025
Cross-site Scripting (XSS) in @scullyio/scully High
CVE-2020-28470 was published for @scullyio/ng-lib (npm) Apr 13, 2021
Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system High
CVE-2025-47410 was published for org.apache.geode:geode-web (Maven) Oct 18, 2025
Netty has SMTP Command Injection Vulnerability that Allows Email Forgery High
CVE-2025-59419 was published for io.netty:netty-codec-smtp (Maven) Oct 15, 2025
DepthFirstDisclosures
Credited to DepthFirstDisclosures
Ash has authorization bypass when bypass policy condition evaluates to true High
CVE-2025-48044 was published for ash (Erlang) Oct 17, 2025
jechol maennchen
zachdaniel
Credited to jechol, maennchen, and zachdaniel
OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests High
CVE-2025-59043 was published for github.com/openbao/openbao (Go) Oct 17, 2025
phil9909
Credited to phil9909
Bagisto is vulnerable to XSS through Admin Panel's product creation path High
CVE-2025-60880 was published for bagisto/bagisto (Composer) Oct 10, 2025
Git LFS may write to arbitrary files via crafted symlinks High
CVE-2025-26625 was published for github.com/git-lfs/git-lfs (Go) Oct 17, 2025
Regular Expression Denial of Service in is-my-json-valid High
CVE-2016-2537 was published for is-my-json-valid (npm) Oct 24, 2017
shaked-seal
Credited to shaked-seal
ReDoS Vulnerability in ua-parser-js version High
CVE-2022-25927 was published for ua-parser-js (npm) Jan 24, 2023
G-Rath timtheguy-bs
Credited to G-Rath and timtheguy-bs
MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS High
CVE-2025-62506 was published for github.com/minio/minio (Go) Oct 16, 2025
donatello
Credited to donatello
Angular SSR has a Server-Side Request Forgery (SSRF) flaw High
CVE-2025-62427 was published for @angular/ssr (npm) Oct 16, 2025
meDavidNS securityMB
jkrems alan-agius4 josephperrott
Credited to meDavidNS, securityMB, jkrems, alan-agius4, and josephperrott
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database